Question No: 461 – (Topic 3)

Which of the following is characterized by an attacker attempting to map out an

organization’s staff hierarchy in order to send targeted emails?

Whaling

Impersonation

Privilege escalation

Spear phishing

Answer: A Explanation:

A whaling attack is targeted at company executives. Mapping out an organization’s staff hierarchy to determine who the people at the top are is also part of a whaling attack.

Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles.

Hackers who engage in whaling often describe these efforts as quot;reeling in a big fish,quot; applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top- level executives in business and government to stay vigilant about the possibility of cyber threats.

Question No: 462 – (Topic 3)

Which of the following is BEST utilized to actively test security controls on a particular system?

Port scanning

Penetration test

Vulnerability scanning

Grey/Gray box

Answer: B Explanation:

Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system’s security controls to gain access to the system.

Penetration testing (also called pen testing) is the practice of testing a computer system,

network or Web application to find vulnerabilities that an attacker could exploit.

Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization#39;s security policy compliance, its employees#39; security awareness and the organization#39;s ability to identify and respond to security incidents.

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.

Pen test strategies include: Targeted testing

Targeted testing is performed by the organization#39;s IT team and the penetration testing team working together. It#39;s sometimes referred to as a quot;lights-turned-onquot; approach because everyone can see the test being carried out.

External testing

This type of pen test targets a company#39;s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they#39;ve gained access.

Internal testing

This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

Blind testing

A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that#39;s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

Double blind testing

Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted.

Double-blind tests can be useful for testing an organization#39;s security monitoring and

incident identification as well as its response procedures.

Question No: 463 – (Topic 3)

Which of the following attacks would cause all mobile devices to lose their association with corporate access points while the attack is underway?

Wireless jamming

Evil twin

Rogue AP

Packet sniffing

Answer: A Explanation:

When most people think of frequency jamming, what comes to mind are radio, radar and cell phone jamming. However, any communication that uses radio frequencies can be jammed by a strong radio signal in the same frequency. In this manner, Wi-Fi may be attacked with a network jamming attack, reducing signal quality until it becomes unusable or disconnects occur. With very similar methods, a focused and aimed signal can actually break access point hardware, as with equipment destruction attacks.

Question No: 464 – (Topic 3)

Pete, a developer, writes an application. Jane, the security analyst, knows some things about the overall application but does not have all the details. Jane needs to review the software before it is released to production. Which of the following reviews should Jane conduct?

Gray Box Testing

Black Box Testing

Business Impact Analysis

White Box Testing

Answer: A Explanation:

Gray box testing, also called gray box analysis, is a strategy for software debugging in

which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood.

Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests.

Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.

Question No: 465 – (Topic 3)

During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following should be disabled to mitigate this risk? (Select TWO).

SSL 1.0

RC4

SSL 3.0

AES

DES

TLS 1.0

Answer: A,E Explanation:

TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any systems running these ciphers should have them disabled.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication

Netscape developed the original SSL protocol. Version 1.0 was never publicly released

because of serious security flaws in the protocol; version 2.0, released in February 1995, quot;contained a number of security flaws which ultimately led to the design of SSL version 3.0″.

TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, quot;the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0quot;. TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.

TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.

Question No: 466 – (Topic 3)

Matt, an administrator, is concerned about the wireless network being discovered by war driving.

Which of the following can be done to mitigate this?

Enforce a policy for all users to authentic through a biometric device.

Disable all SSID broadcasting.

Ensure all access points are running the latest firmware.

Move all access points into public access areas.

Answer: B Explanation:

B: War driving is the act of using a detection tool to look for wireless networking signals. The setting making a wireless network closed (or at least hidden) is the disabling of service set identifier (SSID) broadcasting. Thus by disabling all SSID broadcasting you can mitigate the risk of war driving.

Question No: 467 – (Topic 3)

An administrator has a network subnet dedicated to a group of users. Due to concerns regarding data and network security, the administrator desires to provide network access for this group only. Which of the following would BEST address this desire?

Install a proxy server between the users’ computers and the switch to filter inbound network traffic.

Block commonly used ports and forward them to higher and unused port numbers.

Configure the switch to allow only traffic from computers based upon their physical address.

Configuring the switch to allow only traffic from computers based upon their physical address is known as MAC filtering. The physical address is known as the MAC address. Every network adapter has a unique MAC address hardcoded into the adapter.

You can configure the ports of a switch to allow connections from computers with specific MAC addresses only and block all other MAC addresses.

MAC filtering is commonly used in wireless networks but is considered insecure because a MAC address can be spoofed. However, in a wired network, it is more secure because it would be more difficult for a rogue computer to sniff a MAC address.

Question No: 468 – (Topic 3)

Which of the following wireless protocols could be vulnerable to a brute-force password attack? (Select TWO).

WPA2-PSK

WPA – EAP – TLS

WPA2-CCMP

WPA -CCMP

WPA – LEAP

WEP

Answer: A,E Explanation:

A brute force attack is an attack that attempts to guess a password. WPA2-PSK and WEP both use a “Pre-Shared Key”. The pre-shared key is a password and therefore is susceptible to a brute force attack.

Question No: 469 – (Topic 3)

Which of the following would a security administrator implement in order to identify change from the standard configuration on a server?

Penetration test

Code review

Baseline review

Design review

Answer: C Explanation:

The standard configuration on a server is known as the baseline.

The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline.

A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).

Question No: 470 – (Topic 3)

Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators. Which of the following security devices needs to be configured to disable future false alarms?

Signature based IPS

Signature based IDS

Application based IPS

Anomaly based IDS

Answer: D Explanation:

Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity – or signature – for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known s of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures.

Any organization wanting to implement a more thorough – and hence safer – solution,

should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization#39;s web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server.

There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware – for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.